PatchSiren cyber security CVE debrief
CVE-2026-47277 runtipi CVE debrief
CVE-2026-47277 is a MEDIUM severity vulnerability in Runtipi, a personal homeserver orchestrator. Versions 4.9.1 through 4.9.3 are affected by an unauthenticated arbitrary file read issue. The vulnerability arises from Runtipi serving marketplace app logos from files inside cloned app-store repositories through a public endpoint. This allows attackers to exploit symlinks in the app store, potentially leading to the disclosure of sensitive local files from the Runtipi container, including JWT secrets, service credentials, and operational logs. The issue has been fixed in version 4.10.0.
- Vendor: runtipi
- Product: Unknown
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-17
- Original CVE updated: 2026-06-17
- Advisory published: 2026-06-17
- Advisory updated: 2026-06-17
Who should care
Administrators and users of Runtipi versions 4.9.1 through 4.9.3 should be aware of this vulnerability. Those responsible for maintaining or securing Runtipi installations should take immediate action to mitigate the risk.
Technical summary
The vulnerability in Runtipi (CVE-2026-47277) allows unauthenticated arbitrary file reads because of how app logos are served from cloned app-store repositories. The path guard validates only the lexical (string-normalised) path before Node reads the file; it does not resolve symlinks, so a symlink inside the cloned repository can point outside it and still pass the check. An attacker who controls an app store's metadata could therefore have the public logo endpoint return sensitive files from the Runtipi container.
Defensive priority
MEDIUM
Recommended defensive actions
- Update Runtipi to version 4.10.0 or later to patch the vulnerability.
- Restrict access to the endpoint serving app logos to authenticated users only.
- Implement additional monitoring to detect and respond to potential exploitation attempts.
- Review and harden the configuration of the Runtipi container to minimize exposure.
- Regularly update and patch Runtipi installations to prevent exploitation of known vulnerabilities.
Evidence notes
The information provided is based on the CVE record and NVD details for CVE-2026-47277. The vulnerability was published on June 17, 2026, and last modified on the same day. The CVSS score is 6.5, indicating a MEDIUM severity level.
Official resources
CVE-2026-47277 was published and modified on June 17, 2026.